Making Sense of "Risks and Opportunities"

DEPARTMENTS

MANAGEMENT SYSTEMS

Thea Dunmire, JD, CIH, CSP, is the president of ENLAR Compliance Services, Inc., where she specializes in helping organizations implement management systems. She can be reached on her blog about management system standards at www.managementsystemexpert.com. AIHA is pleased to announce that Thea was presented with an award for Outstanding Achievement in Standards Development for her contributions to the U.S. TAG in the development of ISO 14001:2015 in August 2015. More information on the work of the U.S. TAG can be found here.

Making Sense of “Risks and Opportunities” An FAQ on ISO’s Revised Standard for Environmental Management Systems

BY THEA DUNMIRE

The revised ISO 14001 standard, Environmental management systems – Requirements with guidance for use, was published in September 2015. The standard has been completely reorganized and a number of new requirements have been added. One of these is the new requirement that the organization determine the risks and opportunities that need to be addressed to:

give assurance that the environmental management system can achieve its intended outcomes;
prevent, or reduce, undesired effects, including the potential for environmental external conditions to affect the organization; and
achieve continual improvement.

This text had its origin in Annex SL of Part 1 of the ISO Directives. Similar requirements related to the determination of “risks and opportunities” are in or will be finding their way into all ISO management system standards, including ISO 9001:2015, the quality management system standard, which was also published in September 2015, and ISO 45001, the new OHS management system standard currently being developed within ISO. So what does the requirement that the organization “determine the risks and opportunities that need to be addressed” actually mean? The answer is not entirely straightforward. There are several ambiguities in ISO 14001:2015 that organizations will need to address. Since this “risks and opportunities” requirement is new, users will need to refer to the annex to ISO 14001 and to other reference documents developed during the drafting of ISO 14001:2015 for assistance in interpreting this requirement. This article addresses some of the questions that have already been raised. WHAT ARE “RISKS AND OPPORTUNITIES” IN THE CONTEXT OF AN ENVIRONMENTAL MANAGEMENT SYSTEM? “Risks and opportunities” is defined in ISO 14001:2015 clause 3.2.11 as potential adverse effects (threats) and potential beneficial effects (opportunities). The rationale behind this definition is to have organizations primarily focus their attention on the results related to risk determinations, including both positive and negative effects, rather than simply the uncertainty related to the occurrence of events. The key thing to remember about these new requirements is that not every risk (that is, threat) and opportunity an organization faces is required to be included in this risk determination. First, there must be a nexus, or connection, to the environmental management system. For example, hazardous waste disposal risks would have a nexus to the EMS; credit card fraud risks would not. According to ISO 14001, the organization needs to consider the relationship a particular risk has to:

the organization’s important environmental issues (its “context”)
the organization’s EMS requirements, including its compliance obligations
the defined scope of the organization’s environmental management system

This determination of risk (threats and opportunities) is intended to be subjective. It is to be based on the opinions, interpretations, and judgment of those within the organization. It does not have to be an objective determination. It does not have to be based on numbers, calculations, or spreadsheets—although it can be if an organization so chooses. The determination of which risks and opportunities will be addressed in the EMS is the organization’s decision. It is not required to be based on what any particular interested party or management system auditor thinks the decision should be. To conform to the ISO 14001 standard, an organization simply needs to be able to show that it considered the nexus factors listed above when it made its EMS risk determinations.

Organizations need to keep in mind that it is not feasible to have hundreds of “top priority” action items.

DOES ISO 14001:2015 REQUIRE A FORMAL RISK ASSESSMENT? Those involved in drafting the standard have been emphatic in saying that it does not. It is up to the organization to decide what risk assessment approaches are appropriate. The organization has complete discretion in determining what it believes is best for its unique set of circumstances. The organization can choose the assessment methods, approaches, or criteria it wants. It can use a qualitative approach or it can use a quantitative approach. It can use a single approach or combination of approaches. It can create a single master risk matrix or it can use a combined risk register. These risk assessment processes can be a component of its other EMS processes, they can be part of other business processes, or they can be set up as a separate process. It is entirely up to the organization to decide which process or processes it will use. The two requirements the organization must meet are:

The process, or processes, used must be documented to the extent necessary to have confidence they are carried out as planned.
Once the risk determination is complete, the organization must record the results. In the words of the standard, the organization must “maintain documented information of the risks and opportunities that need to be addressed.”

IS THE ORGANIZATION REQUIRED TO DEVELOP A COMPLETE LIST OF ALL POTENTIAL RISKS AND OPPORTUNITIES? No. First, this is an impossibility. Since risks and opportunities are by definition in the future and the future is not certain, no one can know all potential risks and opportunities. The documentation requirement is that documentation be maintained of “the risks and opportunities that need to be addressed” (emphasis added). This does not require that all risks and opportunities be documented. It only requires that the organization document those risks and opportunities that it has determined need to be addressed within its EMS using whatever risk assessment processes it has established. It needs some kind of list. It is important to note that, since this documentation is required to be maintained, this represents an ongoing obligation. Whatever method is used to document the results of this risk determination will need to address changes—to the organization, its environment, and its compliance obligations. HOW MANY RISKS AND OPPORTUNITIES MUST AN ORGANIZATION ADDRESS WITHIN ITS EMS? There is no required number. The organization is required to determine risk and opportunities related to:

the elements of its activities, products, and services that can interact with the environment (that is, its aspects)
its legal requirements and other requirements the organization has to or chooses to comply with (its compliance obligations)
other issues and requirements it identified in its context determination

The organization is not required to identify risks for each aspect or each compliance obligation or each other issue. It is only required to consider whether there are risks that need to be addressed associated with these potential particular sources of risk. As was the case for the 2004 version of the standard, when identifying significant aspects, an organization needs to identify at least one risk (a threat or opportunity) in order to demonstrate that it has a functioning environmental management system. Again, the focus of the determination is on the risks and opportunities that need to be addressed within the EMS. In making its risk determination, organizations need to consider how many risks and opportunities they realistically have the resources to address. In particular, organizations need to keep in mind that it is not feasible to have hundreds of “top priority” action items. ONCE AN ORGANIZATION HAS CREATED ITS RISKS AND OPPORTUNITIES LIST, WHAT NEEDS TO BE DONE WITH IT? The requirements in ISO 14001:2015 are interconnected. Just as the determination of the organization’s context, its aspects, and its compliance obligations are inputs into its determination of risks and opportunities, the determination of risks and opportunities is an input into other EMS processes. The requirements in clause 6.1.1 are expressly linked to the additional planning requirements in clause 6.1.4. The planning requirements are then linked to operational control requirements in clause 8.1. Taken together, these clauses require the organization to plan and then take action to address the risks and opportunities that have been identified. In other words, clause 6.1.1 requires a risk determination; clause 6.1.4 requires the development of risk action plans; and clause 8.1 requires that these risk action plans be implemented. ISO 14001:2015 also requires that organizations check whether the management system processes they have established to address risk are effective. Clause 6.1.4 requires the organization to plan how it will evaluate the effectiveness of the actions taken to address risk. Clause 8.1 requires the organization to establish operating criteria for its risk control processes. Clause 9.1.1 requires the organization to monitor, measure, analyze, and evaluate its environmental performance. In summary, the plan-do-check-act (PDCA) focus on addressing significant aspects that was embedded in ISO 14001:2004 now applies to environmental risks and opportunities as well.

thesynergist | TOC | NEWSWATCH | DEPARTMENTS | COMMUNITY